Description

Opening a widget in the gallery causes a "Session Error" browser dialog to be displayed for each widget on the page during loading, repeated after a page refresh (as reported by Ate in WOOKIE-181). Seems there is a problem in the engine.js section of DWR. Doesn't appear to happen in Tomcat 6*.

Scott Wilson
added a comment - 13/Sep/11 09:57
More info here for reference:
http://www.tomcatexpert.com/blog/2011/01/26/cross-site-scripting-xss-prevention-tomcat-7
I think it's safer to turn off DWR's XSS mechanism and leave on Tomcat 7's, as there seems to be an issue with DWR's XSS detection and the two are in conflict.

Scott Wilson
added a comment - 12/Sep/11 22:34
OK how about this for a resolution:
For 0.9.1: add an entry to the FAQ and README "known issues", and describe the Tomcat workaround disabling HTTP-only cookies.
For 0.9.2: create a task to either update to DWR 3.0, or replace with another framework (e.g. Atmosphere).

Paul Sharples
added a comment - 01/Jul/11 12:56
I can confirm that adding the following to the web.xml file stops the error appearing in Tomcat 7...
<init-param>
    <param-name>crossDomainSessionSecurity</param-name>
    <param-value>false</param-value>
</init-param>
The warning is that it may open CSRF attacks, according to the above link. Should we just add a note to the Known issues of RELEASE_NOTES? (as we are hoping to replace DWR very soon anyway?)
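For reference, here is the init-param from the comment above placed in a complete DWR servlet declaration, with the trade-off of each option recorded in comments. This is an added example, not Wookie's own web.xml; the servlet name `dwr-invoker` and the `/dwr/*` mapping are assumptions, while `org.directwebremoting.servlet.DwrServlet` is the standard DWR 2.x servlet class.

```xml
<!-- web.xml excerpt (added example; servlet name and URL pattern are assumed) -->
<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>

  <!-- DWR's crossDomainSessionSecurity check is its CSRF defence: the
       browser-side engine.js reads the session cookie via document.cookie
       and echoes it in the request body, and the server rejects the call
       when the two do not match. Tomcat 7 marks the session cookie HttpOnly
       by default, so the script cannot read it, the comparison fails, and
       the "Session Error" dialog described in this issue appears. -->
  <init-param>
    <param-name>crossDomainSessionSecurity</param-name>
    <!-- Option A (the workaround from the comment above): disable DWR's check.
         Trade-off: DWR endpoints lose this protection against cross-site
         request forgery, so note it under "known issues" until DWR is
         upgraded or replaced. -->
    <param-value>false</param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>dwr-invoker</servlet-name>
  <url-pattern>/dwr/*</url-pattern>
</servlet-mapping>
```

Option B, the "Tomcat workaround" mentioned in the 12/Sep comment, leaves `crossDomainSessionSecurity` at its default and instead sets `useHttpOnly="false"` on the `<Context>` element in the webapp's META-INF/context.xml so engine.js can read the session cookie again. That keeps DWR's CSRF check but makes the session cookie readable by any script on the page, giving up the XSS mitigation Tomcat 7 enables by default; either option is a deliberate weakening and should be listed in the release notes as the comments propose.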